openvpn
AkZwork, 2019-06-08 03:18:00

How to direct all traffic to VPN in Mikrotik except for certain addresses?

Hello!
The task is to route all connections through the VPN.
However, some clients are already working through a VPN, so there is no point in routing them through it twice.
What to do in the following situations:
1. Route all traffic through the VPN except for certain IPs
2. Route all traffic through the VPN except for certain *.host.com domains or subdomains
3. Route all traffic through the VPN except for certain IPs + excluding certain devices (clients)
Thank you.

3 answer(s)
Alexander Abakumov, 2019-06-08
@nops

Mark the traffic.
For example, take the articles on Habr about setting up 2-3 providers on a Mikrotik.
Do the same by analogy. Imagine that the VPN is the second provider and go.
Everything is done in 30 minutes.
Only when you do it through Winbox, press this button: [image: 5cfb4e07235fe534993131.png]

Uragiremono, 2019-06-11
@Uragiremono

Initial data:
WAN - ether1, access to the provider
172.20.10.2/24 - address received from the provider
172.20.10.1 - its gateway
LAN - 192.168.1.0/24
VPN - ovpn_client
10.10.10.2/32 - address received from the VPN server
10.10.10.1 - its gateway
With the add-default-route=yes option, all traffic should go through the VPN by default.
The theory is that now all traffic goes through the VPN by default.
You need to mark the right traffic and send it to the right route.
1. Route all traffic through the VPN except for certain IPs

# create the list of addresses that must not go through the VPN
/ip firewall address-list add list=exclude_list address=192.168.1.10
/ip firewall address-list add list=exclude_list address=192.168.1.11

# mark the packets: matched in prerouting, before the routing decision
/ip firewall mangle add chain=prerouting action=mark-routing dst-address-list=exclude_list new-routing-mark=ether1_route_mangle passthrough=no src-address=192.168.1.0/24

# add a route to the provider that only packets carrying the mark use
/ip route add dst-address=0.0.0.0/0 gateway=172.20.10.1 distance=1 routing-mark=ether1_route_mangle

2. Route all traffic through the VPN except for certain *.host.com domains or subdomains
The same as in option 1, but instead of an IP, enter the domain
/ip firewall address-list add list=exclude_list address=host.com
/ip firewall address-list add list=exclude_list address=test.host.com

3. Route all traffic through the VPN except for certain IPs + excluding certain devices (clients)
Isn't this the same as the first option?
"Certain devices" have an IP/domain, just add them to the list
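The two answers above describe the same mechanism (mark the exceptions with a routing mark, then give that mark its own route to the provider) but only show it in fragments. The following is an added, constructed RouterOS 6 CLI example, not code from either answer, that puts the three cases together: destinations excluded by IP, destinations excluded by hostname, and whole client devices excluded by source address. It assumes the topology from the second answer (LAN 192.168.1.0/24, WAN ether1 with gateway 172.20.10.1, OpenVPN client interface ovpn_client installed as the default route); the list names vpn_bypass, vpn_bypass_clients and the mark to_wan, and the sample addresses 203.0.113.10 and 192.168.1.20, are made up for the example.

```routeros
# Constructed example (RouterOS 6 CLI syntax), not from the original answers.
# Assumed topology: LAN 192.168.1.0/24, WAN ether1 via 172.20.10.1,
# OpenVPN client ovpn_client with add-default-route=yes, so the VPN is
# already the default route and only the exceptions need to be steered away.

# 1. Destinations that must stay off the VPN: IPs and hostnames.
#    A hostname entry is resolved by the router and refreshed on its DNS TTL,
#    so it only matches the addresses the router itself resolved; if LAN
#    clients use a different resolver they may get addresses the list lacks.
/ip firewall address-list
add list=vpn_bypass address=203.0.113.10 comment="reached directly (constructed sample)"
add list=vpn_bypass address=host.com comment="resolved by the router"
add list=vpn_bypass address=test.host.com comment="subdomains are listed one by one"

# 2. Client devices that bypass the VPN entirely, matched by source address.
/ip firewall address-list
add list=vpn_bypass_clients address=192.168.1.20 comment="already has its own VPN (constructed sample)"

# 3. Routing marks, applied in prerouting before the routing decision.
#    dst-address=!192.168.1.0/24 keeps traffic to the LAN itself unmarked.
/ip firewall mangle
add chain=prerouting src-address=192.168.1.0/24 dst-address-list=vpn_bypass \
    action=mark-routing new-routing-mark=to_wan passthrough=no \
    comment="excluded destinations go to the provider"
add chain=prerouting src-address-list=vpn_bypass_clients dst-address=!192.168.1.0/24 \
    action=mark-routing new-routing-mark=to_wan passthrough=no \
    comment="excluded clients go to the provider"

# 4. A default route used only by packets carrying the mark; the VPN default
#    route in the main table is left untouched for everything else.
/ip route
add dst-address=0.0.0.0/0 gateway=172.20.10.1 routing-mark=to_wan distance=1 \
    comment="direct to provider for marked traffic"

# 5. Source NAT on both exits. Marked traffic leaving ether1 still needs
#    masquerading, and traffic entering the tunnel needs the VPN address
#    (10.10.10.2) as its source unless the VPN server routes the LAN itself.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ovpn_client action=masquerade

# 6. Verification: the marked route must be active, the mangle counters must
#    grow when an excluded host is contacted, and hostname entries must show
#    the resolved addresses.
/ip route print where routing-mark=to_wan
/ip firewall mangle print stats
/ip firewall address-list print where list=vpn_bypass
```

The mangle counters from step 6 are the quickest way to confirm that an exception actually matched; a rule whose packet count stays at zero while the client is active usually means the hostname resolved to a different address than the client used, or the rule sits below another mark-routing rule with passthrough=no. On RouterOS 7 the syntax differs: the route takes routing-table=to_wan instead of routing-mark, and the table must first be created with /routing table add name=to_wan fib.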
